tomcat-users mailing list archives
From Luca Gervasi <tom...@ashetic.net>
Subject Re: Jailrootting
Date Wed, 23 Jun 2010 07:18:19 GMT
On Tue, 2010-06-22 at 16:25 -0400, Christopher Schultz wrote:
> On 6/22/2010 12:07 PM, Gregor Schneider wrote:
> > 2010/6/18 Mikolaj Rydzewski <miki@ceti.pl>:
> >> Luca Gervasi wrote:
> >>>
> >>> I can read my /etc/passwd from a malicious jsp.
> >>> Where can I find info on limiting filesystem access / visibility?
> >>>
> >>
> > 
> > 1st thing to do:
> > 
> > run tomcat as user "tomcat" (or whatever username you like) with
> > limited rights - that should at least fix the possibility to cat
> > /etc/passwd
> 
> I've never seen a system where /etc/passwd wasn't world-readable.
> Otherwise, 'ls' doesn't even work well ;)
> 

Hi guys, thanks for answering me.

Tomcat uses a low privilege user and the system-wide permissions are
thus enforced by the OS, but... I can still read all the instance-wide files
(tomcat-users.xml, server.xml and any other 644 file).

I'm starting to read about SecurityManager, but I think that this should
be the answer I was looking for :)

Thanks 

Luca





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
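As an added illustration that is not part of this thread, the fragment below shows the shape of a per-application grant in `$CATALINA_BASE/conf/catalina.policy`, the file Tomcat reads when started with the SecurityManager enabled (`catalina.sh start -security`). The policy is allow-list only: a web application gets exactly the permissions granted to its code base and nothing else, so a JSP that tries to open `conf/tomcat-users.xml` or `conf/server.xml` fails with `java.security.AccessControlException` even though the tomcat OS user could read those files. The application name `myapp`, the directory layout and the exact permission set are assumptions for the example; the stock catalina.policy shipped with Tomcat carries the default grants and comments to start from.

```java
// Added example, not from this thread: fragment for
// $CATALINA_BASE/conf/catalina.policy (Java policy-file syntax).
// Loaded only when Tomcat runs with a SecurityManager, e.g.
//   $CATALINA_HOME/bin/catalina.sh start -security
// Everything not granted below is denied to code loaded from this
// web application, so reads outside its own tree throw
// java.security.AccessControlException rather than returning data.
// "myapp" and the paths are assumed values for illustration.

grant codeBase "file:${catalina.base}/webapps/myapp/-" {
    // Read access to the application's own deployed files only.
    permission java.io.FilePermission
        "${catalina.base}${file.separator}webapps${file.separator}myapp${file.separator}-", "read";

    // Scratch area for compiled JSPs and temporary files.
    permission java.io.FilePermission
        "${catalina.base}${file.separator}work${file.separator}Catalina${file.separator}localhost${file.separator}myapp${file.separator}-",
        "read,write,delete";

    // Minimal runtime needs; widen only after the access log shows
    // a concrete AccessControlException for a legitimate operation.
    permission java.util.PropertyPermission "*", "read";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
};
```

To confirm the policy is in effect, start Tomcat with `-security`, deploy a test JSP that opens `${catalina.base}/conf/tomcat-users.xml`, and check that the request fails and an `AccessControlException` naming the `java.io.FilePermission` appears in `catalina.out`; the same exception trace is what to look for when a legitimate feature of the application stops working after the policy is enabled, since it names the exact permission and path to add.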

